So because my laptop is old (2012, with an i3), I probably don't want my file system encrypted. I'm not concerned with any physical security (this laptop is always home), so is not encrypting it fine? I would also be spooked by the CPU mitigations; it likely will turn performance into being non-existent, so could I do something about that if needed? And would those changes stay around after updates?
#Old laptop, need tips
so is not encrypting it fine?
Fine by what measure? You preempted your question with a set of conditions, implying you think it's fine, and then asked if it's fine.
it likely will turn performance into being non-existent
nosmt in particular may, although generally only for multithreaded workflows
so could i do something about that if needed?
kargs are only set by the user anyways, they aren't part of the image
I mean this laptop won't leave the house, so I don't need physical security; would secureblue work fine without encrypting the file system?
yes, the preinstall-readme is just a set of security recommendations, they have no bearing on functionality
I just want to make sure I do everything properly even if I might know the answers
if you want to set all the same kargs except nosmt, just copy all of this rpm-ostree kargs command and replace auto,nosmt with auto:
note that auto still sets all other mitigations, and this is the default kernel behavior for all linux distros
so I run all those commands myself and remove nosmt?
I will run the harden kargs command without nosmt
what does harden flatpak do?
so I run all those commands myself
no. just the kargs command.
if you already installed the image and yafti ran to completion at firstboot, then it's done already
Alright thanks
lmk if you have any other questions
Got a couple new questions:
If I wanted Brave (don't know yet), do I just layer it on or does it have some issues?
Is there a specific DNS set? And how would I change it myself
And syncthing, so about this and brave the question would be should I not be afraid of layering stuff, is it just fine (of course preferring flatpaks when able)
in the faq it also says I can use nix before considering layering it. So that would be the answer? I haven't explored nix stuff yet, so I'm hoping it would be verifiable
And hopefully last question: Should I wait until fedora 40 or does it not matter
Ok i figured out "auditing" nix package sources
So I guess it's like flatpak (unless it breaks something) > nix > rpm layering
Then just the DNS question
yes you can layer it locally by adding the repo file from the brave site to /etc/yum.repos.d/
Is there a specific DNS set?
no
layering is fine
user preference
yes unless you prefer not to use nix (some people dislike using multiple package managers)
Only question left is how do I change the DNS, is it just like normal by changing systemd resolved config?
preferably you'd change it on your router but yes config will do too
Should I wait until fedora 40 or does it not matter
wait due to what?
Well bluefin considers itself beta until fedora 40 because of something, but I guess it doesn't apply here
yeah but my router doesn't do encrypted dns so I think in my case the opposite is preferred
and sorry I have more questions:
- If I wanted to change around kargs, do I just run the command again with what I want exactly or do I have to specify removing some things if I wanted to remove things
- If I wanted to change desktop environment, do I just rebase? Are there going to be potential problems with that? Maybe like config conflicts
my router doesn't do encrypted dns
I'm not sure what that means. Your router doesn't run your DNS server, you just configure the target nameserver on your router and then DHCP gives that to each client
if that nameserver supports DoT, then it will work
do I have to specify removing some things I
you have to remove them one by one
If i wanted to change desktop environment, do i just rebase?
Yes
Are there going to be potential problems with that? Maybe like config conflicts
Not really. Worst I've seen is dark mode got turned off which takes 2 seconds to fix
What do you mean? Like if I had nosmt and I wanted to remove it, do I not just run the command again without nosmt
do I not just run the command again without nosmt
oh, for that you can use the replace functionality
so no, you can't just rerun the same command
Maybe it does do it properly-ish but I don't trust my router, especially since it's unsupported now and was trash from the start
Can i have an example
https://docs.fedoraproject.org/en-US/fedora-coreos/kernel-args/#_replacing_existing_kernel_arguments
probably
It's quite weak so, sure
is chromium just from fedora repos? Does it have vanadium patches?
is chromium just from fedora repos?
yes
Does it have vanadium patches?
no but per the readme we've gotten upstream fedora chromium to configure the build flags with the same secure config that vanadium uses. Plus all of the switches and policies we apply. It's not identical to vanadium but also a good number of the vanadium packages are for android only anyways
So it has everything desktop can have from vanadium?
it has everything desktop can have without applying build-time patches and building it ourselves
There are probably some differences, and so we would need to ask upstream to add those patches to the build
Yeah hopefully they do that
they won't unless we specifically request it, and even then possibly not
so far I've only requested build flags that are already done by Chrome / Vanadium
making a desktop build of vanadium is also an option, however it's a huge endeavour that would need its own project
building chromium on copr takes 20+ hours
Oh that's a lot more than I expected
chromium is large
the codebase alone is over 100GB
just in text files
also, there are other benefits to using upstream Fedora's chromium
one is: more eyes on the codebase
if we're maintaining our own desktop vanadium fork, there are few eyes on the code
and in a similar vein, if we use upstream fedora, there are way way more users and so more bug reports
and generally a higher quality product in the end
also, the critical pieces already have parity, like enabling CFI which we asked upstream to do and they did it
I would need to go do an analysis of all the patches in vanadium, remove all the android ones, and then see which if any are remaining compared to fedora chromium
i suspect it's not terribly significant
Yeah that's what I wanted to ask
off the top of my head i don't know, but it should be pretty straightforward to check if you have time
Just the patches files?
you would just have to make a list of all the vanadium patches and cross out any that are just for android: https://github.com/GrapheneOS/Vanadium/tree/main/patches
almost all downstream projects from chromium are going to be 90% patchfiles
since those just change the base project's code and then build it
but like, some of vanadium's patches have no security relevance, like this: https://github.com/GrapheneOS/Vanadium/blob/main/patches/0007-Vanadium-branding.patch
so we'd need to narrow down what specifically is missing that's relevant to desktop and relevant to security
also some of these are build flags that also exist as policy flags, so they're not needed: https://github.com/GrapheneOS/Vanadium/blob/main/patches/0018-disable-metrics-by-default.patch
I don't really trust myself on such an important thing but I'll take a peek maybe just to educate myself
another example is this build flag:
vs this policy flag we already set:
maybe I should make a vanadium_comparison.readme.md or something with a big table of all the changes vanadium makes and whether they're relevant and if they're relevant how we accomplish them
That would be good for the faq
another one we already have accomplished via policies: https://github.com/GrapheneOS/Vanadium/blob/main/patches/0093-remove-translate-offer-preference.patch
can you create an issue for it so I don't forget
I will do it tomorrow night
Right now it's also night, and tomorrow I will be busy
ok
But I will get a free window to use my laptop
thanks
Thank you for making this cool thing
sure thing
I just made one https://github.com/secureblue/secureblue/issues/209
I get forbidden status code when I try to rebase to kinoite-nvidia-laptop-userns-hardened
Nevermind I have misspelled kinoite every single time in my life
And my updating issue seems to be network speed. Also when I downloaded the source code of something huge from GitHub it kept interrupting the connection probably cuz my router is so bad. So maybe that could happen when updating too? It doesn't stop though
Rebasing to unsigned image gave me "child process killed by signal 4" error when it was sanity checking final rootfs
Doing it again says it's the same refs so I guess that's fine
Running rpm-ostree rebase ostree-image-signed:docker://ghcr.io/secureblue/kinoite-nvidia-laptop-userns-hardened:latest gives me "preparing import: fetching manifest: containers-policy.json specifies default of insecureAcceptAnything; refusing usage"
that means your rebase to the unsigned image failed
Well what do I do about sanity-checking: final rootfs: bwrap(/usr/bin/true): child process killed by signal 4
that means that validation is failing when it does a chroot on your hardware
it usually indicates hardware incompatibilities
I've only ever seen it once and it was someone using an old business machine with ECC memory which hardened_malloc doesn't support
I'm gonna try without Nvidia since I know Nvidia doesn't want to exist for me
I use nvidia images and they work for me so I'm not sure
Yeah but I think this motherboard's Nvidia implementation is windows exclusive
what kind of machine is this
try the asus images
also, are you able to rebase to ublue?
what image are you currently on
rpm-ostree status
There's Asus images?
I got a dot next to fedora 39 kinoite
oh, try rebasing to ublue first
to make sure it's a secureblue issue
Alright
I also have the unverified image on there but I don't think it's used, do I have to remove it somehow?
on where
On rpm-ostree status
if you didn't pin any deployments, you don't need to do anything
just rebase to ublue unverified then to signed
Ok I will run rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/kinoite-asus-nvidia:latest
The unverified one first
ublue seems to have worked
cool what does rpm-ostree status show
Well I didn't reboot yet or rebase to the signed image
But it said a bunch of stuff is queued to apply
I'm rebooting
Yeah the dot is on unverified ublue
This laptop is so scuffed
rebase to verified
how so
if after that and a reboot and the rebase to secureblue still fails with the bwrap validation issue, there's almost certainly a hardware incompatibility of some kind and we'll have to try to figure out what it is
Alright
I am on signed ublue
Rebasing to unsigned secureblue
Bwrap issue
Sanity-checking final rootfs: bwrap(/usr/bin/true): Child process killed by signal 4
Gonna investigate tomorrow
my guess would be some kind of hardware incompatibility with hardened_malloc
Can we find out?
I don't think I can take out anything though
So then what do I do about it
It will be tough. We'd have to incrementally add components into a custom build until it breaks to narrow down the issue. @jaunty steeple you have an image with partial changes right? we could start with that
what's the difference between your build and secureblue
So I'm gonna be making a custom image? I'm fine with that if I have some help which the ublue community seems to be pretty cool about. But our timezones seem to be opposites so not now but we can plan
So I'm gonna be making a custom image?
no, just for testing
step 1: identify which component is causing the issue
step 2: figure out a way to fix it, whether that's within secureblue or outside of it
also can you send your hardware details especially for your ram
like the actual make and model
of the hardware components
So open it up and look?
Alrighty then
I'm finding everything except the brand that it uses out of the box. There's tons of different models and bad info, Asus doesn't even have it on their website anymore. I also suspect the memory may have been upgraded by my dad at some point
It also definitely has different storage
This is why I'm only ever gonna buy a framework
Yep
memory may have been upgraded
it would be good to know whether it's ECC memory
what changes does it have
I don't think it is
ah okay
Also ddr3 only with up to 1333MT/s so whatever's in here is just cheap
it must be something else then
Blacklists are not included, this is the only change I could think of that would matter in this regard
Have you tried not using hardened malloc already?
also @unique garnet can you put your rpm-ostree status here
they can't rebase because the deployment chroot validation is failing
which means it's doing its job
Well I can't now, I'm gonna do that tomorrow
No I'm on my phone
oh okay
Would its missing a battery cause problems?
basically what I'd recommend is use startingpoint/bluebuild based on whatever ublue image you're currently on. Then add stuff from secureblue in order from most to least likely to cause problems (for example, hardened_malloc + the LD_PRELOAD is highly likely, chronyd changes are highly unlikely) until you get the same error
then let me know which piece did it
Yeah I'll try, hopefully it's fun
it shouldn't take too long aside from the build times
it's almost certainly either:
hardened_malloc+ld_preload
modules blacklist
sysctls
Well apparently download speed is very bad for me
that will also make it take longer lol
I think my ISP is not cool
It seems bluebuild is the new thing so I'm gonna figure that one out
Is secureblue just made from the fedora atomic images, and shouldn't I be just taking secureblue and removing things from it instead of adding everything incrementally
Seems a lot faster
Building ublue-kionite-nvidia
Is there like some rule or can I abuse GitHub actions all I want
This thing is kinda crazy, builds everything for free
removing things from it
no because you can't layer a removal of something that's been added in a layer, due to a long-standing rpm-ostree issue
Yeah I just read that
yeah, this is what you want: https://github.com/blue-build/template
I'm figuring out the recipe stuff now
Do I not have to add the gpg for the repos I add
what repos
When I add a repo to the rpm-ostree module
I'm guessing I don't have to do anything with yafti
Added hardened malloc and maybe LD preload hopefully
I'm guessing that would be the problem
I know, what repos
for copr there's no need to add gpg I believe
or you can just set verification to false, temporarily
let me know
if you're able to rebase to an image with hmalloc, the next thing to check is the module blacklists
and if it's that, then you need to figure out which one
Yeah that is the plan
Brave, just seeing how doing that would work, gave up
oh, brave works fine but you need to put the gpg key in the right folder
I don't remember where those go
I mean like to have it installed when installing the image
oh it's /etc/pki/rpm-gpg/
oh as part of the image? there's some weirdness there
you would need to ask in the ublue server
you'd need to use optfix
but for now can you just use chromium so we can find the issue source
Yeah I'm just gonna use whatever's on there, brave was a side quest
Alright so it's hardened malloc
Should I try without LD preload, and then without hardened malloc but the blacklist stuff
Or is it definitely hardened malloc
This is the repo if you wanna check
https://github.com/kremzli/trashtopOS
I'm going to try without hardened malloc and LD preload
looking
lmao that name
if the only change you added to the base image is hardened_malloc then yes
after you confirm that, you can also try with libhardened_malloc-light.so
to see if that works
also, wait
what secureblue images did you try
did you try any of the -main images?
or just -nvidia?
ah okay
I have a suggestion but it won't be fun
basically
rebase to ublue's kinoite-nvidia
then layer hardened_malloc locally, and set the ld preload
then reboot and see what fails
and then boot back into the previous deployment
I'm currently on ublue kinoite nvidia, so I'm gonna add hardened malloc
Do I have to pin this deployment
no but you can if it makes you feel more comfortable
How would this be not fun?
Rebooting now
Well it works but it looked a bit interesting
The terminal is more interesting
The ld preload cannot be preloaded
Ignored
that doesn't make sense
you were able to boot?
ERROR: ld.so: object 'libhardened_malloc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
where is that error
Many times in the terminal
did you install it?
Yeah it's installed
what does this mean
what commands are you running
I ran nothing and it was there already, I ran rpm-ostree status and it appeared there too but the command did run
Status says nothing is currently layered on this deployment
But it did install
what does rpm -qa | grep hardened say
Nothing but that error still pops up
then it was not installed
That's quite weird cuz it didn't give an error during the install
what command did you run to install it
I put the repo in the yum repos directory and then just did rpm-ostree install hardened_malloc
strange
are you sure you booted into the new deployment and not the previous one
what's the full output of rpm-ostree status
It shows the one I have now with nothing on it and the previous one which had brave on it
can you post it
triple backticks
kremzli@fedora:/var/home/kremzli$ rpm-ostree status
ERROR: ld.so: object 'libhardened_malloc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libhardened_malloc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
State: idle
Warning: failed to finalize previous deployment
error: Finalizing deployment: Finalizing SELinux policy: failed to run semodule: Child process exited with code 132
check `journalctl -b -1 -u ostree-finalize-staged.service`
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
● ostree-image-signed:docker://ghcr.io/ublue-os/kinoite-asus-nvidia:latest
Digest: sha256:0655cb4a189f802effee1844bd7ae190c17de4430b92496233bc4521524b531e
Version: 39.20240219.0 (2024-02-19T16:23:17Z)
can you post the entire thing
kremzli@fedora:/var/home/kremzli$ rpm-ostree status
ERROR: ld.so: object 'libhardened_malloc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libhardened_malloc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
State: idle
Warning: failed to finalize previous deployment
error: Finalizing deployment: Finalizing SELinux policy: failed to run semodule: Child process exited with code 132
check `journalctl -b -1 -u ostree-finalize-staged.service`
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
● ostree-image-signed:docker://ghcr.io/ublue-os/kinoite-asus-nvidia:latest
Digest: sha256:0655cb4a189f802effee1844bd7ae190c17de4430b92496233bc4521524b531e
Version: 39.20240219.0 (2024-02-19T16:23:17Z)
ostree-image-signed:docker://ghcr.io/ublue-os/kinoite-asus-nvidia:latest
Digest: sha256:0655cb4a189f802effee1844bd7ae190c17de4430b92496233bc4521524b531e
Version: 39.20240219.0 (2024-02-19T16:23:17Z)
LayeredPackages: brave-browser
ok now can you post journalctl -b -1 -u ostree-finalize-staged.service
My message is too long
you can truncate it or use https://pastebin.com
What about a txt file
pastebin strongly preferred
hmm okay
rpm-ostree install hardened_malloc again but this time don't reboot after
just post rpm-ostree status after
Alright
kremzli@fedora:/var/home/kremzli$ rpm-ostree status
ERROR: ld.so: object 'libhardened_malloc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object 'libhardened_malloc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
State: idle
Warning: failed to finalize previous deployment
error: Finalizing deployment: Finalizing SELinux policy: failed to run semodule: Child process exited with code 132
check `journalctl -b -1 -u ostree-finalize-staged.service`
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
ostree-image-signed:docker://ghcr.io/ublue-os/kinoite-asus-nvidia:latest
Digest: sha256:0655cb4a189f802effee1844bd7ae190c17de4430b92496233bc4521524b531e
Version: 39.20240219.0 (2024-02-19T16:23:17Z)
Diff: 1 added
LayeredPackages: hardened_malloc
● ostree-image-signed:docker://ghcr.io/ublue-os/kinoite-asus-nvidia:latest
Digest: sha256:0655cb4a189f802effee1844bd7ae190c17de4430b92496233bc4521524b531e
Version: 39.20240219.0 (2024-02-19T16:23:17Z)
ostree-image-signed:docker://ghcr.io/ublue-os/kinoite-asus-nvidia:latest
Digest: sha256:0655cb4a189f802effee1844bd7ae190c17de4430b92496233bc4521524b531e
Version: 39.20240219.0 (2024-02-19T16:23:17Z)
LayeredPackages: brave-browser
odd, okay, reboot and make sure you select the new (0-indexed) deployment
if you do so and it still shows hardened_malloc as not layered, I'll be at a loss
well I don't see grub when I boot but I'll see if hitting a key makes it show up
but if after all this you still want to use secureblue, you'd have to use your custom image repo and just use secureblue as a base image and remove hardened_malloc
you don't even have to remove the rpm tbh
you can just overwrite the ld preload file
Well I couldn't get grub to show up
it defaults to 0
what's rpm-ostree status now
That top deployment doesn't exist anymore
Just the clean and previous brave one
And it says failed to run semodule: child process exited with code 132
Failed to finalize previous deployment
The journalctl thing?
So I can't even use the light option
Do I just remove the ld preload file
you can try it
Ok it's installing hardened malloc again
Yeah didn't work
So I'm gonna just base on secureblue and override the ld preload file to have nothing in it? Or remove it, haven't seen that much documentation yet. Will do that tomorrow
yeah just blank it out, or you can write a script to delete it. up to you
Does it auto update my repo?
does what auto update it?
bluebuild?
yeah, just enable the workflow in github actions
Like when you update, does my stuff update and build
just enable it in actions
if you haven't already
Yeah I'll see
Should I revoke permission for ublue image creator app
I don't have to copy all the package removals and stuff right? Only add my own changes
Yeah I don't
Don't I have to do something for auto updating? Does bluebuild just set it up to update from my repo
Is this name fine
What about the changes to enable LD preload in flatpaks
I mean would it just not work and I'd be fine?
Finally it works
I still get ld preload errors
Even though there is no hardened_malloc or ld.so.preload file
It wouldn't run with hardened_malloc without LD preload so I made it remove both
It now complains about libhardened_malloc-light.so
Is that added in laptop images?
Even though I don't have the ld.so.preload file it says it should be in
I will do a fresh install maybe
Should I go through yafti on the unverified image? Also it gets stuck at the flatpak setup, doesn't accept
I also have no internet
It connects to my wifi but it doesn't get internet
These are gone after I reinstalled the entire thing
Don't know what to do about this
Ok I had to set my own dns
Epic router moment
Ok now only thing that doesn't work is yafti
If I put an IP in kde DNS settings then it uses encrypted DNS over TLS right?
But it's weird, chrome extension webstore's site can't be reached
Not my DNS, only on chromium, other sites work fine
I guess it isn't using my DNS
"tools.google.com" also can't be reached and it opened on first start
It was recommended to get ublock origin lite so idk how I'm gonna get that
I expect updates to be blocked too
Nix isn't included?
If it is available, then yes
Maybe chrome is using another dns?
There are secure dns settings in chromium you may want to take a look at
It's "managed by your administrator"
Yeah idk the DNS is broken if I don't add it myself
It really shouldn't be broken if your router provides dhcp
It does, never broke until now
yes in build.yml
Does bluebuild just set it up to update from my repo
it already uses DoT automatically if provided by your router
you don't need to do anything
Well I had to do that
both libraries are available in all images, only libhardened_malloc.so is set by default
had to do what to get what to work
Internet
I asked two questions
I had to set the DNS on the system, it wouldn't pick it up from the router
doesn't make sense but glad you got it fixed
none specified
Well why does the extension store not work
dns applies to your entire connection not just one application
it's impossible to know why a specific component of a specific app isn't working without doing more investigation, it could be dozens of things
Well I tested my DNS and it wasn't that
Will test with other browser tomorrow
Also yafti doesn't work for me, it just gets stuck at setup flatpak step
gets stuck how?
It just doesn't work, I press accept and it does nothing, I can go back but I can't go forward
I would need a screen recording to fully understand
I can do that tomorrow
I would expect it's because it can't find the ld preload file so it just doesn't do anything
ld preload gets ignored if it's missing so I doubt it
How do I run it again?
I tried before to type yafti in terminal and it said no config file or yafti. something
yafti -f /usr/share/ublue-os/firstboot/yafti.yml
Also is this name ok
Will update it tomorrow